-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift API for Data Protection (OADP) 1.1.0 security and bug fix update Advisory ID: RHSA-2022:6290-01 Product: OpenShift API for Data Protection Advisory URL: https://access.redhat.com/errata/RHSA-2022:6290 Issue date: 2022-09-01 CVE Names: CVE-2021-3634 CVE-2021-40528 CVE-2022-1271 CVE-2022-1292 CVE-2022-1586 CVE-2022-2068 CVE-2022-2097 CVE-2022-21698 CVE-2022-24675 CVE-2022-25313 CVE-2022-25314 CVE-2022-26691 CVE-2022-28327 CVE-2022-29154 CVE-2022-29824 CVE-2022-30629 CVE-2022-30631 CVE-2022-32206 CVE-2022-32208 ==================================================================== 1. Summary: OpenShift API for Data Protection (OADP) 1.1.0 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Security Fix(es) from Bugzilla: * golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631) * prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698) * golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675) * golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327) * golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read 5. JIRA issues fixed (https://issues.jboss.org/): OADP-145 - Restic Restore stuck on InProgress status when app is deployed with DeploymentConfig OADP-154 - Ensure support for backing up resources based on different label selectors OADP-194 - Remove the registry dependency from OADP OADP-199 - Enable support for restore of existing resources OADP-224 - Restore silently ignore resources if they exist - restore log not updated OADP-225 - Restore doesn't update velero.io/backup-name when a resource is updated OADP-234 - Implementation of incremental restore OADP-324 - Add label to Expired backups failing garbage collection OADP-382 - 1.1: Update downstream OLM channels to support different x and y-stream releases OADP-422 - [GCP] An attempt of snapshoting volumes on CSI storageclass using Velero-native snapshots fails because it's unable to find the zone OADP-423 - CSI Backup is not blocked and does not wait for snapshot to complete OADP-478 - volumesnapshotcontent cannot be deleted; SnapshotDeleteError Failed to delete snapshot OADP-528 - The volumesnapshotcontent is not removed for the synced backup OADP-533 - OADP Backup via Ceph CSI snapshot hangs indefinitely on OpenShift v4.10 OADP-538 - typo on noDefaultBackupLocation error on DPA CR OADP-552 - Validate OADP with 4.11 and Pod Security Admissions OADP-558 - Empty Failed Backup CRs can't be removed OADP-585 - OADP 1.0.3: CSI functionality is broken on OCP 4.11 due to missing v1beta1 API version OADP-586 - registry deployment still exists on 1.1 build, and the registry pod gets recreated endlessly OADP-592 - OADP must-gather add support for insecure tls OADP-597 - BSL validation logs OADP-598 - Data mover performance on backup blocks backup process OADP-599 - [Data Mover] Datamover Restic secret cannot be configured per bsl OADP-600 - Operator should validate volsync installation and raise warning if data mover is enabled OADP-602 - Support GCP for openshift-velero-plugin registry OADP-605 - [OCP 4.11] CSI restore fails with admission webhook \"volumesnapshotclasses.snapshot.storage.k8s.io\" denied OADP-607 - DataMover: VSB is stuck on SnapshotBackupDone OADP-610 - Data mover fails if a stale volumesnapshot exists in application namespace OADP-613 - DataMover: upstream documentation refers wrong CRs OADP-637 - Restic backup fails with CA certificate OADP-643 - [Data Mover] VSB and VSR names are not unique OADP-644 - VolumeSnapshotBackup and VolumeSnapshotRestore timeouts should be configurable OADP-648 - Remove default limits for velero and restic pods OADP-652 - Data mover VolSync pod errors with Noobaa OADP-655 - DataMover: volsync-dst-vsr pod completes although not all items where restored in the namespace OADP-660 - Data mover restic secret does not support Azure OADP-698 - DataMover: volume-snapshot-mover pod points to upstream image OADP-715 - Restic restore fails: restic-wait container continuously fails with "Not found: /restores//.velero/" OADP-716 - Incremental restore: second restore of a namespace partially fails OADP-736 - Data mover VSB always fails with volsync 0.5 6. References: https://access.redhat.com/security/cve/CVE-2021-3634 https://access.redhat.com/security/cve/CVE-2021-40528 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-2097 https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-24675 https://access.redhat.com/security/cve/CVE-2022-25313 https://access.redhat.com/security/cve/CVE-2022-25314 https://access.redhat.com/security/cve/CVE-2022-26691 https://access.redhat.com/security/cve/CVE-2022-28327 https://access.redhat.com/security/cve/CVE-2022-29154 https://access.redhat.com/security/cve/CVE-2022-29824 https://access.redhat.com/security/cve/CVE-2022-30629 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-32206 https://access.redhat.com/security/cve/CVE-2022-32208 https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYxA0ftzjgjWX9erEAQgcZBAAhpl5yhUlRDVqai0DF0VUbpNENP0oqAEU nSI4eOGm66Y8d2Qtymae3HwiP8Fa+FIg+QLlQqJaLSPRpttv1kxmB7vL2fzcDyQ2 6VKUFLV9Lo9oSUqfAlvO8rbSWMvvickV3kTYC+HDgz5/Y3C2JKA1wlhn/5548Iq0 syHaj/sLw3lYK9AsQDrgN+FWFnNgUsqPmb5WmgQ3HoYP4Ksq1jpcnWAtqkNl7eT4 IeBAl1B8+I5l4eDj20HJyaGh5h37loCLW1NhcVeoqrwqnkWKVXcbXeYanEoRGCya Y38JtNmFlNLjQ69sWoyLonDqKdNQmnbhWRYzRjQF7nGAB+STG9uJ1e1e75T4IoD7 m0gMS30vjC9rqV455m8sOeDwNf+1rPAXmgC5QR1mEavd1LphlHkO56a+j4aPVPGV V/ItM94tAuFvdkL7ZPRMxNux0CMzkBtvEeh3wbUXWF1UKw6ew8yhLHoUevCI2paT ggXr3kbBV5yAKgT/+c6TRGYiI66pV1RjCOpE/tJYYpiNhq2dhxjpm0e9RRxLtoTK EazQq5tWEYDqNcY2LmXIAwgnIhygqy6HXVBI04rqdI4WKgHPtnp8vfSNaArfSCUP kC85ROZc6ZTBOPVWEBT34Y64lPO37jzXhuvvytOmOtUJbuWn4XFl9rRswRnv/yKU Rl4NtEV1XHs=zaXV -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce